The video will take you through the process I use to detect if there’s an issue and what steps I take to clean the server.

Once you’ve determined there’s an issue, let’s start by collecting IPs from the access logs.

nano /var/log/nginx/access.log

Some things to look for:

POST requests

/wp-login.php (easier to judge on sites with only a few users)

No browser (user agent) set

XML-RPC requests (xmlrpc.php)

WP-JSON (REST API) requests

Once you have your list of IPs, run this to block them.

iptables -A INPUT -j DROP -s <IP>

You’ll need iptables-persistent installed. On Ubuntu, you can run this command to install it:

sudo apt-get install iptables-persistent -y

Then run this so the rules survive a server restart:

iptables-save > /etc/iptables/rules.v4
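As an added example (not from the video or the post), this script applies the checks above to nginx combined-format log lines and renders the block rule from the post for each IP that trips them more than once; the log lines, IPs and the min_hits threshold are constructed for the example.

```python
import re
from collections import defaultdict

# Nginx "combined" format: ip - user [time] "METHOD path PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "-"
203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "-"
203.0.113.7 - - [10/Mar/2024:10:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 400 "-" "-"
198.51.100.9 - - [10/Mar/2024:10:00:04 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 900 "-" "python-requests/2.31"
198.51.100.9 - - [10/Mar/2024:10:00:05 +0000] "GET /wp-json/wp/v2/users?page=2 HTTP/1.1" 200 900 "-" "python-requests/2.31"
192.0.2.55 - - [10/Mar/2024:10:00:06 +0000] "GET /about/ HTTP/1.1" 200 5000 "https://example.com/" "Mozilla/5.0"
192.0.2.55 - - [10/Mar/2024:10:00:07 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "https://example.com/" "Mozilla/5.0"
"""

def flag_request(method, path, ua):
    """Return the names of the checks from the post that this one request matches."""
    checks = [
        ("POST", method == "POST"),
        ("wp-login", path.startswith("/wp-login.php")),
        ("no-user-agent", ua in ("", "-")),
        ("xmlrpc", path.startswith("/xmlrpc.php")),
        ("wp-json", path.startswith("/wp-json")),
    ]
    return [name for name, hit in checks if hit]

def triage(log_text, min_hits=2):
    """Count flagged requests per IP; min_hits keeps a single legitimate POST (a comment form) out."""
    hits = defaultdict(lambda: [0, set()])
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        reasons = flag_request(m["method"], m["path"], m["ua"])
        if reasons:
            hits[m["ip"]][0] += 1
            hits[m["ip"]][1].update(reasons)
    return {ip: (n, sorted(r)) for ip, (n, r) in hits.items() if n >= min_hits}

def block_commands(report):
    """Render the iptables rule from the post for each flagged IP (review the list, then run as root)."""
    return [f"iptables -A INPUT -j DROP -s {ip}" for ip in sorted(report)]

if __name__ == "__main__":
    print("\n".join(block_commands(triage(SAMPLE_LOG))))
```

Run it against the real log with `triage(open("/var/log/nginx/access.log").read())` and read the reasons per IP before blocking anything; the threshold is there so one ordinary form submission from a visitor is not treated as an attack.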

Go through the list of files that were recently added or modified and pick out any that don’t look right to you.

Open Wordfence and go through the list of files it has flagged.

Run a new Wordfence scan.

Run a GOTMLS scan. GOTMLS will remove the malicious section of code without affecting the whole file when it detects an issue, which is nice. Wordfence will only repair core files and some plugin files. For the rest, you’ll have to open the file manually and delete the section, or the whole file if it isn’t necessary.


TJ Nevis

Expert at knowing a little bit about everything - or so I like to think. Husband, business owner, web developer, car enthusiast, animal lover, tinkerer. I run a web development/technology company, NevisTechnology.com, where I'm living my dream. Need hosting services, a website, blog, Blogger to WordPress conversion or an e-commerce store? Let's talk!